Privacy Policy
Last updated: May 6, 2026
1. Introduction
Kounisou Inc. ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our fitness coaching platform ("Service").
This policy complies with the General Data Protection Regulation (GDPR) for EU users and the California Consumer Privacy Act (CCPA) for California residents.
2. Information We Collect
2.1 Information You Provide
- Account Information: Name, email address, phone number, password
- Profile Information: Bio, certifications, specialties, business name, social media handles, profile photo
- Health Data: Body measurements (weight, height, body fat percentage), activity data (steps, workouts), sleep data, heart rate, nutrition logs, health conditions, fitness goals
- Payment Information: Processed by Stripe (we do not store credit card numbers)
- Communication Data: Messages between coaches and clients, check-in responses, support inquiries
2.2 Automatically Collected Information
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages viewed, features used, time spent, actions taken
- Performance Data: Error logs, crash reports, API response times
- Location Data: Approximate location from IP address (not GPS tracking)
2.3 Data from Third Parties
- OAuth providers (Google, Apple) for authentication
- Health data imports from Apple Health or Health Connect (with your permission)
- Payment data from Stripe
3. How We Use Your Information
3.1 Service Delivery
- Provide and maintain the platform
- Enable communication between coaches and clients
- Process payments and subscriptions
- Personalize workout and nutrition recommendations
- Track progress and generate reports
3.2 AI Features
- Generate personalized workout plans
- Create meal plans based on dietary preferences
- Analyze progress and suggest adjustments
- Parse food logs and estimate nutrition
Important: We use a third-party AI provider to power these features. Your data is sent to the AI provider with privacy protections (no personal identifiers in prompts, data not used for AI training).
3.3 Analytics and Improvement
- Analyze usage patterns to improve features
- Monitor performance and fix bugs
- Conduct A/B testing for new features
- Generate anonymized aggregate statistics
3.4 Communications
- Send transactional emails (password resets, receipts)
- Notify you of important account activity
- Send marketing emails (only with your consent; you can easily unsubscribe)
- Respond to support requests
3.5 Legal Compliance
- Comply with legal obligations
- Enforce our Terms of Service
- Prevent fraud and abuse
- Respond to legal requests
4. Legal Basis for Processing (GDPR)
For EU users, we process your data under the following legal bases:
- Contract: Processing necessary to provide the Service you signed up for
- Consent: Health data processing, marketing emails, optional features
- Legitimate Interest: Analytics, fraud prevention, service improvement (where not overridden by your rights)
- Legal Obligation: Compliance with tax, accounting, and legal requirements
5. Data Sharing and Disclosure
5.1 We DO NOT Sell Your Data
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
5.2 Service Providers
We share data with trusted third-party service providers who help us operate the Service:
- Hosting: Database and file storage
- AI Provider: Workout and meal plan generation (data anonymized, not used for training)
- Payment Processing: Stripe (processes payments, does not share data with us beyond transaction details)
- Email Delivery: Transactional email service
- Analytics: Usage analytics and error monitoring
- Security: DDoS protection, firewall, CDN
All service providers are bound by data protection agreements and may only use your data to provide services to us.
5.3 Within the Platform
- Client data is shared with their assigned Coach (and only their Coach)
- Coach profile information is visible to their clients and on public coach profiles
- Multi-coach teams (Studio plan) share access to client data within their organization
5.4 Legal Requirements
We may disclose your information if required by law, court order, subpoena, or to protect our rights, safety, or property.
6. Data Security
We implement industry-standard security measures to protect your data:
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Authentication: Secure password hashing (bcrypt), optional multi-factor authentication
- Access Control: Row-level security on all database tables, role-based permissions
- Infrastructure: Regular security audits, automated vulnerability scanning, DDoS protection
- Monitoring: Real-time error tracking, suspicious activity alerts
However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.
7. Cookies and Tracking
We use cookies and similar technologies to improve your experience. See our Cookie Policy for details.
Cookie Types:
- Essential: Authentication, session management (required)
- Analytics: Usage tracking, performance monitoring (optional, consent-based)
- Preferences: Theme, language settings (optional)
8. Data Retention
We retain your data for as long as necessary to provide the Service and comply with legal obligations:
- Active Accounts: Data retained while your account is active
- Deleted Accounts: 30-day grace period, then permanent deletion
- Legal Retention: Billing records (7 years), transaction logs (as required by law)
- Analytics Data: Anonymized data may be retained indefinitely
9. Your Privacy Rights
9.1 GDPR Rights (EU Users)
- Right to Access: Request a copy of your data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Request deletion of your data
- Right to Data Portability: Export your data in a machine-readable format
- Right to Restriction: Limit how we process your data
- Right to Object: Object to processing based on legitimate interest
- Right to Withdraw Consent: Withdraw consent for optional data processing
- Right to Lodge a Complaint: File a complaint with your local data protection authority
9.2 CCPA Rights (California Residents)
- Right to Know: What personal information we collect, use, and share
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
9.3 How to Exercise Your Rights
You can exercise most rights directly in your account settings:
- Export Data: Settings → Advanced → Export All Data
- Delete Account: Settings → Advanced → Delete Account
- Manage Consent: Cookie banner, notification settings
For other requests, contact our Data Protection Officer at privacy@kounisou.com. We will respond within 30 days.
10. Children's Privacy
Our Service is not intended for children:
- EU Users: Must be at least 16 years old (health data requires parental consent below 16)
- Other Jurisdictions: Must be at least 13 years old
If we become aware that we have collected data from a child without proper consent, we will delete it promptly.
11. International Transfers
Your data may be transferred to and processed in countries outside your country of residence. We ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) for EU data transfers
- Service providers certified under privacy frameworks
- Adequate security measures regardless of location
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via:
- Email to your registered address
- In-app notification
- Notice on our website
The "Last updated" date at the top of this policy reflects when changes were made. Continued use after changes constitutes acceptance.
13. Contact Us
For privacy-related questions or to exercise your rights:
- Data Protection Officer (DPO): privacy@kounisou.com
- General Support: support@kounisou.com
- Legal Entity: Kounisou Inc.
We are committed to transparency and protecting your privacy. If you have any concerns about how we handle your data, please reach out — we're here to help.